Allow to whitelist config modifiers
Signed-off-by: Claudio Vellage <claudio.vellage@pm.me>
This commit is contained in:
parent
a5d3663c75
commit
4705a92c49
@ -443,6 +443,9 @@
|
|||||||
- list: shell_config_directories
|
- list: shell_config_directories
|
||||||
items: [/etc/zsh]
|
items: [/etc/zsh]
|
||||||
|
|
||||||
|
- macro: user_known_shell_config_modifiers
|
||||||
|
condition: (never_true)
|
||||||
|
|
||||||
- rule: Modify Shell Configuration File
|
- rule: Modify Shell Configuration File
|
||||||
desc: Detect attempt to modify shell configuration files
|
desc: Detect attempt to modify shell configuration files
|
||||||
condition: >
|
condition: >
|
||||||
@ -452,6 +455,7 @@
|
|||||||
fd.directory in (shell_config_directories))
|
fd.directory in (shell_config_directories))
|
||||||
and not proc.name in (shell_binaries)
|
and not proc.name in (shell_binaries)
|
||||||
and not exe_running_docker_save
|
and not exe_running_docker_save
|
||||||
|
and not user_known_shell_config_modifiers
|
||||||
output: >
|
output: >
|
||||||
a shell configuration file has been modified (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository)
|
a shell configuration file has been modified (user=%user.name user_loginuid=%user.loginuid command=%proc.cmdline pcmdline=%proc.pcmdline file=%fd.name container_id=%container.id image=%container.image.repository)
|
||||||
priority:
|
priority:
|
||||||
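Review bot: The new macro `user_known_shell_config_modifiers` with `condition: (never_true)` in the first hunk carries no comment saying it is an override hook, so a reader of the default rules cannot tell it is meant to be redefined in a local rules file rather than edited in place. A comment above the macro such as `# Override this macro in a local rules file to allowlist processes that legitimately edit shell configuration; keep the override narrow, since a bare proc.name match is easy to mimic.` would make the intent explicit. The `(never_true)` default keeps the rule fully active until a deployment opts in, which is the right default for a detection rule. The second hunk appends `and not user_known_shell_config_modifiers` after `and not exe_running_docker_save`, consistent with how the other exclusions in this rule are written.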
|